Car Hacking: NXP Pushes Flexible Security

The reality is that cars have a number of vulnerabilities, but the security level each one needs can differ.

It's important to increase security against manipulation of the in-car network, but "you must carefully look into what you need to protect," says Besenbruch. Tightened security shouldn't hurt performance: you don't want to delay braking because the system insists that the brake command be authenticated first, he explains.

The right solution should be compatible with existing architecture and systems, according to Besenbruch. "Current hardware platforms and software components should be modified as little as possible."

Against that backdrop, one of NXP's proposals is to secure "existing and future systems" by "integrating a secure memory area that can only be written to and read with authorized access."

By integrating a trustworthy element, described as "a trust anchor," into security-related ECUs, NXP believes that the security of data can be improved. Trust anchors, in the form of a security microcontroller, are not new. They are already used in credit cards and telephone SIM cards. NXP is one of the clear leaders in that field.

Figure: Secure element in ECU architecture (Source: NXP)

A security processor today incorporates such functions as a secure memory area, cryptographic co-processors, management of certificates and private keys, and generation of public keys.

By pairing an existing automotive microcontroller with a security processor (such as one based on NXP's A700x product group, already used in other industrial applications that require security), NXP believes it can offer security-related features that include:

Firewall functions for securing the gateway. For this purpose, messages are authenticated before being passed on to the relevant sub-bus.

Secure storage of data such as error logs or mileage, which can only be written after authentication.

Secure boot, which verifies that the software on each ECU has not been tampered with before it is allowed to run.

Certification of (electronic) replacement parts. Only authorized ECUs can be introduced into the vehicle network.

Registration with external services through protected connections. The secure element provides the access data for VPN and HTTPS connections.
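The gateway firewall and authenticated-message idea above is easier to reason about with a concrete scheme in front of you. The following is an added example, not NXP's code or a description of the A700x: it models a trust anchor that holds per-message keys, a sender ECU that appends a freshness counter and a truncated HMAC to each 8-byte CAN data field, and a gateway that forwards a frame to a sub-bus only if the ID is allow-listed and the anchor authenticates it. The frame layout (4 bytes payload, 2 bytes counter, 2 bytes MAC), the key, and the CAN IDs are all assumptions made for the example.

```python
"""Authenticated CAN gateway backed by a trust anchor (added example).

Assumed layout of the 8-byte CAN data field (not from the article):
    4 bytes payload | 2 bytes freshness counter | 2 bytes truncated HMAC-SHA256
Keys live only inside the TrustAnchor object, which stands in for the secure element.
"""
import hashlib
import hmac
import struct


class TrustAnchor:
    """Stand-in for the secure element. Holds per-CAN-ID keys and the last
    accepted counter per ID so that replayed frames are rejected."""

    def __init__(self, keys):
        self._keys = dict(keys)      # can_id -> key (provisioned at module production, hypothetical)
        self._last_counter = {}      # can_id -> last accepted freshness counter

    def _tag(self, can_id, payload, counter):
        # MAC covers the ID, the counter and the payload; truncated to 2 bytes to fit the frame.
        msg = struct.pack(">HH", can_id, counter) + payload
        return hmac.new(self._keys[can_id], msg, hashlib.sha256).digest()[:2]

    def protect(self, can_id, payload, counter):
        """Sender side: build the 8-byte data field for can_id."""
        if len(payload) != 4 or not 0 <= counter <= 0xFFFF:
            raise ValueError("payload must be 4 bytes and counter must fit 16 bits")
        return payload + struct.pack(">H", counter) + self._tag(can_id, payload, counter)

    def verify(self, can_id, data):
        """Receiver side: True only if the MAC matches and the counter is fresh.
        Note: a 16-bit counter wraps; a deployment needs resynchronisation, not shown here."""
        if can_id not in self._keys or len(data) != 8:
            return False
        payload, tag = data[:4], data[6:8]
        counter = struct.unpack(">H", data[4:6])[0]
        if counter <= self._last_counter.get(can_id, -1):
            return False                                   # replayed or stale frame
        if not hmac.compare_digest(tag, self._tag(can_id, payload, counter)):
            return False                                   # forged or tampered frame
        self._last_counter[can_id] = counter
        return True


def gateway_forward(anchor, allowlist, can_id, data):
    """Gateway policy: forward only allow-listed IDs that the trust anchor
    authenticates. Returns the 4-byte payload to put on the sub-bus, or None."""
    if can_id not in allowlist:
        return None
    if not anchor.verify(can_id, data):
        return None
    return data[:4]


def demo():
    """Constructed scenario: one good frame, a replay, a tampered frame, an unlisted ID."""
    key = bytes(range(16))                         # constructed key shared by sender and gateway
    sender = TrustAnchor({0x120: key})             # e.g. a body-domain ECU
    gateway = TrustAnchor({0x120: key})            # the gateway's own secure element
    allow = {0x120}

    good = sender.protect(0x120, b"\x01\x02\x03\x04", counter=1)
    tampered = b"\xff" + sender.protect(0x120, b"\x01\x02\x03\x04", counter=2)[1:]
    return [
        gateway_forward(gateway, allow, 0x120, good),      # forwarded
        gateway_forward(gateway, allow, 0x120, good),      # replay: dropped
        gateway_forward(gateway, allow, 0x120, tampered),  # MAC mismatch: dropped
        gateway_forward(gateway, allow, 0x7DF, good),      # ID not allowed on this sub-bus: dropped
    ]


if __name__ == "__main__":
    print(demo())
```

The check costs one HMAC per frame at the gateway, which is the kind of bounded, per-message work that does not add a round trip to time-critical traffic such as a brake command; the trade-off is that a 2-byte MAC and 16-bit counter are short, so the scheme relies on the gateway also rate-limiting and on the counter being resynchronised before it wraps.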

Of course, in order to determine which ECUs need to be equipped with a trust anchor, one needs to first identify functions and applications that need to be protected against car hacking.

Potential attack and manipulation scenarios by hackers, described by Besenbruch during an interview with EE Times, ranged from modification of mileage, unauthorized geolocating, and installation of malicious code in MP3 files, to eavesdropping on telephone conversations via Bluetooth and chip tuning through manipulation of electronic control unit software.

Depending on where such attack-prone functions sit in the in-car network architecture, a secure element should be placed to protect them locally, "by saving, calling or authenticating data used by the ECU's main microcontroller, or securing a connection with additional ECUs," explained Besenbruch.

Also, "a secure boot algorithm that prevents manipulation of the software should be implemented in all cases."
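Two of the features above, the write-protected secure memory area and secure boot, fit together naturally: the boot code needs a reference value it can trust, and that reference must be changeable only by an authorized party. The following is an added example, not NXP's design: a protected memory slot holds the expected SHA-256 of the firmware image, the bootloader refuses any image whose hash differs, and the slot can be rewritten only with a token computed under a key held by the authorized programming tool. The same authenticated-write rule is what the article's "secure storage" of mileage and error logs relies on. The images, slot name and key are constructed for the example; real secure boot normally uses a public-key signature so the verifier holds no secret, which the usage note below returns to.

```python
"""Secure boot against a reference hash held in protected memory (added example).

Assumptions (not from the article): the trust anchor exposes a memory slot that
the local bootloader can read freely but that is rewritten only with a valid
HMAC token; the firmware images below are constructed byte strings.
"""
import hashlib
import hmac


class SecureMemory:
    """Stand-in for the secure element's protected area."""

    def __init__(self, write_key, initial):
        self._write_key = write_key      # key known to the authorized update tool only (hypothetical)
        self._slots = dict(initial)

    def read(self, slot):
        return self._slots[slot]

    def write(self, slot, value, token):
        """Accept the new value only if the token authenticates slot and value."""
        expected = hmac.new(self._write_key, slot.encode() + value, hashlib.sha256).digest()
        if not hmac.compare_digest(token, expected):
            return False                 # unauthorized write rejected; slot unchanged
        self._slots[slot] = value
        return True


def make_write_token(write_key, slot, value):
    """What the authorized programming tool computes before an update."""
    return hmac.new(write_key, slot.encode() + value, hashlib.sha256).digest()


def secure_boot(mem, image):
    """Boot ROM logic: run the image only if its hash equals the protected reference."""
    actual = hashlib.sha256(image).digest()
    return hmac.compare_digest(actual, mem.read("fw_hash"))


def demo():
    """Constructed scenario: good image, tampered image, attacker without the
    key, then an authorized update that also stops the old image from booting."""
    oem_key = b"constructed-oem-update-key"
    fw_v1 = b"ECU firmware v1 (constructed)"
    mem = SecureMemory(oem_key, {"fw_hash": hashlib.sha256(fw_v1).digest()})
    r = {}
    r["v1_boots"] = secure_boot(mem, fw_v1)                          # True
    r["tampered_boots"] = secure_boot(mem, fw_v1 + b"\x90")          # False: one byte changed

    # Attacker can rewrite flash but holds no key: cannot move the reference hash.
    fw_evil = b"malicious image (constructed)"
    evil_hash = hashlib.sha256(fw_evil).digest()
    r["unauth_write"] = mem.write("fw_hash", evil_hash, b"\x00" * 32)   # False
    r["evil_boots"] = secure_boot(mem, fw_evil)                          # False

    # Authorized update by the tool that holds oem_key.
    fw_v2 = b"ECU firmware v2 (constructed)"
    v2_hash = hashlib.sha256(fw_v2).digest()
    r["auth_write"] = mem.write("fw_hash", v2_hash, make_write_token(oem_key, "fw_hash", v2_hash))  # True
    r["v2_boots"] = secure_boot(mem, fw_v2)                          # True
    r["v1_boots_after_update"] = secure_boot(mem, fw_v1)             # False: old image no longer accepted
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The symmetric token keeps the example to the standard library, but it means every ECU that verifies updates holds the same secret as the update tool, and a compromised garage tool then authorizes writes everywhere. A signature scheme (the tool signs the new reference with a private key, the secure element stores only the public key) removes that exposure and is the usual choice for secure boot; the structure of the check is the same.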

Another weak link: the supply chain

There's another aspect to automotive security that the industry shouldn't forget, notes Besenbruch. The supply chain could be the weak link.

Management and the chain of custody of keys and secrets for the installed ECUs during module production are critical. Auto companies must specify which partners install the secure element, who installs the keys in the ECU, and how the allocation is managed at every phase in the distribution chain, according to Besenbruch.

Here, NXP maintains that the company's experience in proven procedures from bank and credit card supply chains can be leveraged for use in automotive production.

Editor's note: EE Times's Automotive Designline is examining how the automotive industry and chip suppliers are planning to address automotive security.
This is the second installment. The first article, How Hackers Can Take Control of Your Car, appeared on July 8.

> Was there a real demo of what they could do on an unmodified car with this type of attack?

Yes, we were able to achieve arbitrary control of automotive systems via this channel. In our car (as with an increasing number of modern cars) the entertainment unit was a CAN bus peer and thus, having compromised the CD player, our code then used another exploit to compromise the telematics unit, then downloaded more code and was able to control any ECU in the vehicle. It is quite common that audio parsing is done in software these days to support the plethora of formats demanded by consumers.

We have demonstrated both bridging the explicit CAN gateway and creating an implicit CAN gateway via the telematics unit.

> There aren't many ways someone could connect to your car... actually, none.

Sorry, but this is factually not true for most modern automobiles. If you read our work, you'll see that we accomplished remote wireless connection and compromise of our cars via two different channels (and compromise via two other non-wireless channels that did not require direct physical access by the adversary). I recommend you read our 2011 paper at autosec.org to understand the breadth of the automotive attack surface.

So I'm the aforementioned Stefan Savage. I wanted to make a plea to please not call this the "Savage" report. It could also be called the Kohno report after my co-PI Yoshi Kohno from the University of Washington. But this too would be wrong. The two of us provided the context, funding and encouragement for doing this work, but all the credit is due to the amazing group of students at UW and UCSD who pulled off the impossible again and again to complete this research. Call it the Checkoway report, or the Koscher report, or the Rosener report or the McCoy report or the Czeskis report if you must (or, more concisely, the "Autosec report", after the site autosec.org where we've made our papers available). There is a tendency to fetishize faculty and aggrandize their contributions, but I can tell you that you could have locked Yoshi and me in a room with those cars for five years and we would not have pulled this off.

If electronics don't make a car safer and more efficient (in that order), then why would we want to add them?

As I read this, I'm thinking of a much cruder crime problem today: there are car burglars wandering the streets of America now with cheap, hand-held boxes that pop the automatic locks on cars as they pass by. Not exactly rocket science, but another example of how an unnecessary convenience is turning into a problem.

Question: Would you buy a safe, efficient car with minimal electronic gadgets (no hands-free audio controls, no power windows or doorlocks), if it were half the price of the standard model with all the extras?

Yes, that makes sense. The automotive companies have always worried about their vehicles being modified. They have made it harder for us to work on our own cars. Making a modification should void the warranty, but they worry about the liability if something happens due to the modification.

But here's the thing. I have been told that there are instances where users try to modify their own cars (or, in the case of car sharing, shared cars) to change the mileage. Some people also change engine parameters (say, manipulate a 100-horsepower engine into a 120-horsepower engine).

Such manipulation of engine parameters can be done by software, according to my source. And such actions could directly affect the reliability of a car, for example.

Junko, good for you and EETimes to surface these issues. I have to say, it is so scary to read the comments by some (I am assuming by the fact they are at the EETimes web site) knowledgeable and educated engineers on this article and your other one:

The ones I refer to are those that are in total denial that cars being developed today are hackable and/or make the argument that if the car is hackable, why go to the trouble, just run into it or cut the brake line....

Are none of these engineers aware of or following the massive outcry about the security holes in our existing infrastructures? Have they not followed Stuxnet?

Very sad and scary! Shows how much education or quick retirement needs to be done NOW.

I've read the Savage report you mentioned with a lot of interest as it's my job to design such electronics. I designed one of the first MP3 players for car radios in Europe (OEM and aftersale). I can tell you the type of attack (MP3 buffer overflow) mentioned in the report is just impossible in that case as the MP3 decoder was hardware. I guess it's possible to do a buffer overflow with a software MP3 decoder but I seriously doubt that it could be used to hack the car itself (maybe the car radio alone, and even that would be quite time consuming for poor impact). Was there a real demo of what they could do on an unmodified car with this type of attack?

What makes me think it's impossible to hack a car from the car radio is: the only network between the car radio and the rest of the car controllers is the CAN bus, often through gateways (the body network is physically independent of the engine network). CAN reliability is based on hardware message filtering; this way a controller cannot be overwhelmed by a CAN bus. It's part of the validation process of all well-designed controllers to check that they cannot crash because of a CAN bus overflow, not because of the fear of hacker attacks but more because of the fact that a controller could go crazy on the bus and flood it (this kind of bug has already happened in real life).

Today I design engine and body controllers for different car manufacturers; we have had security schemes in the bootloaders for about 10 years or more. It's mostly based on encrypted keys to allow calibration changes (it's easy to do a BO attack with a calibration change) and updated software download. There are also CRC checks and stuff like that (not talking about key(less) authentication). I know some people could get around these, mostly because of the weakest link: the garages. We need to have the possibility to update the software for the most important controllers of the car; it's a requirement of the car makers. These updates are done in the car repair stations of the brand and these will always remain the weakest link.

The solution of making the controller chip non-reprogrammable (mentioned by Patrick) is not applicable in that case. For the controllers that don't need reprogrammability, we just use OTP (One Time Programmable) microcontrollers, which are cheaper than Flash µCs and physically impossible to recode.